SlideShare a Scribd company logo

Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach

Ivan Ruchkin
Ivan Ruchkin

This document proposes an analysis contracts approach to address inter-domain vulnerabilities in cyber-physical systems. It describes analyzing a braking subsystem to determine sensor trustworthiness and secure control. Formal analysis contracts specify inputs, outputs, assumptions and guarantees for failure mode analysis, trustworthiness analysis and secure control analysis. The contracts approach aims to verify analyses are correctly executed to prevent vulnerabilities introduced offline from being exploited online. Future work includes developing richer behavioral and probabilistic contracts and validating the approach on other systems.

Related slideshows

Car cybersecurity: What do automakers really think?
Car cybersecurity: What do automakers really think?Car cybersecurity: What do automakers really think?
Car cybersecurity: What do automakers really think?
 
(SACON) Wayne Tufek - chapter six - dwell time
(SACON) Wayne Tufek - chapter six - dwell time(SACON) Wayne Tufek - chapter six - dwell time
(SACON) Wayne Tufek - chapter six - dwell time
 
Tech r35
Tech r35Tech r35
Tech r35
 
1 of 36
Download to read offline
Today's Date Sub Topic 1 Sub Topic 2 Sub Topic 3 Sub Topic 4 Sub Topic 5 Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach Ivan Ruchkin Ashwini Rao Dionisio de Niz Sagar Chaki David Garlan 1st ACM Workshop on CPS Privacy & Security Sponsors: DoD, NSF, NSA October 16, 2015 Sub Topic 1 Sub Topic 2 Sub Topic 3 Sub Topic 4 Sub Topic 5
2 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Copyright 2015 ACM This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® is registered in the U.S. Patent and Trademark Ofce by Carnegie Mellon  University. DM-0002865
3 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion ● Safety, efficiency, fault-tolerance – Formal verification, control theory, reliability engineering, ...
4 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion
5 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Cyber-Physical Systems and Vulnerabilities ● Software-controlled distributed autonomy ● Complex physical behavior ● Diverse interactions: networks, physics, … – Potentially malicious ● Diverse attack surfaces and vulnerabilities
6 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Outline ● Security in cyber-physical systems ● Inter-domain vulnerabilities ● Analysis contracts approach ● Discussion
7 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Scenario ● One car follows another car, which is stopping. ● Senses position, distance, and velocity. ● Safety: must brake and stop without crashing. – Depends on effective control: slows down smoothly (esp. on ice) – Depends on reliability: stops even if a sensor malfunctions – Depends on sensor security: stops even if a sensor is spoofed x Distance Position Velocity
8 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Braking Subsystem Architecture Full model: github.com/bisc/collision_detection_aadl
9 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Sensors ● Adversary models: – Knows the system's architecture – Internal or external (not all-powerful) – Spoofs data for respective sensor type ● Attack steps (online): 1. Find a vulnerable set of sensors in a car 2. Spoof all of the sensors in the set Impact: the control is misled and possibly crashes
10 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analyses (offline) Control Analysis Failure Modes and Effects Analysis Trustworthiness Analysis
11 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis 1: FMEA ● Failure Modes and Effects Analysis [Schneider1996] – Mature and common in reliability engineering ● Goals: 1. Determine most likely “failure modes” ● Configurations where some components failed 2. Augment the system to reduce failure likelihood P = 0.1 P = 0.05 P = 0.01
12 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis 2: Sensor Trustworthiness ● Goal: determine trustworthiness of each sensor – Given an attacker model [Miao2013] Internal attacker External attacker
13 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis 3: Secure Control ● Goals: [Fawzi2014] 1. Tune controllers and state estimators 2. Determine if control is safe and smooth ● Minimal sensor trust assumption: at least 50% sensors are providing trustworthy data (for each sensed variable)
14 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
15 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
16 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
17 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
18 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
19 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Problem: Inter-Domain Vulnerabilities ● Uncontrolled analysis interactions may lead to introduction of vulnerabilities into CPS. ● Cause: unsatisfied dependencies and assumptions. ● Introduced offline, exploited online.
20 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Outline ● Security in cyber-physical systems ● Inter-domain vulnerabilities ● Analysis contracts approach ● Discussion
21 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Possible Solutions ● Cybersecurity online: IDS, firewalls – Oblivious of diverse engineering analyses ● Cybersecurity offline: encryption, secure protocols, secure-by-design – May not work with physical world ● Control-theoretic CPS security [Fawzi2014] – Does not consider fault-tolerance and other factors ● Component modeling, interface theories – Focuses on system parts, not quality concerns
22 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis Contracts Approach 1. Model the system's architecture 2. Formalize contracts for analyses [Ruchkin2014] ● Inputs, outputs, assumptions, guarantees 3. Execute analyses correctly (offline) ● Dependencies met ● Assumptions satisfied ● Expectation: inter-domain vulnerabilities are detected and prevented
23 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Step 1: Architecture Modeling ● AADL – Architecture Analysis and Design Language [Feiler2005] ● Provides standardized high-level vocabulary – Components and connectors: sensors, controllers, actuators, … – Properties: sensor variables, trustworthiness, attacker model, ... – Modes: configurations of components, connectors, and their properties
24 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Step 2: Analysis Contract Specification Analysis Input Output FMEA Fault-tolerance requirements Sensors, controllers, modes Trustworthiness Sensors, attacker model Sensor trustworthiness Control Sensors, controllers Control safety
25 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analytic Dependencies Control Analysis Failure Modes and Effects Analysis Trustworthiness Analysis Sensors, controllers Sensors Sensor trustworthiness Depends on
26 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Assumptions and Guarantees ● Logically specify for each analysis ● Ctrl analysis assumption (minimal sensor trust): ● Actual second-order encoding in SMTv2:
27 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Step 3: Contract Verification ● Deterministic: first-order predicate logic – Implemented in the ACTIVE tool [Ruchkin2014] using the Z3 solver – Doesn't support second-order yet ● Probabilistic – Not fully designed, or implemented – Plan to: ● Incorporate Probabilistic Computation Tree Logic (PCTL) in the language ● Use probabilistic model checking tools: PRISM or MRMC
28 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Detecting Vulnerability minimal trust Internal attacker
29 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Outline ● Security in cyber-physical systems ● Inter-domain vulnerabilities ● Analysis contracts approach ● Discussion
30 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Limitations ● Generality – Approach applicable to other domains? ● Scalability & expressiveness – Will verification be feasible in other cases? ● Practicality – Is the up-front formal effort worth it?
31 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Future Work ● Richer contracts – Behavioral models for security – Probabilistic statements – Something else? ● Incorporating relevant domains – Suggestions? ● Validation – NOT building a self-driving car from scratch – Ideas?
32 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Summary ● Described inter-domain vulnerabilities ● Demonstrated the analysis contracts approach – Specified analysis contracts – Determined dependencies – Verified deterministic assumptions ● Future work: more models and analyses, richer contracts, and validation Email me: iruchkin@cs.cmu.edu ACTIVE tool: github.com/bisc/active Car model: github.com/bisc/collision_detection_aadl
33 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion References ● H. Schneider. Failure Mode and Effect Analysis: FMEA From Theory to Execution. Technometrics, 38(1), 1996. ● C. Miao, L. Huang, W. Guo, and H. Xu. A Trustworthiness Evaluation Method for Wireless Sensor Nodes Based on D-S Evidence Theory. In Wireless Algorithms, Systems, and Applications, Springer, 2013. ● H. Fawzi, P. Tabuada, and S. Diggavi. Secure Estimation and Control for Cyber-Physical Systems Under Adversarial Attacks. IEEE Transactions on Automatic Control, 59(6), 2014.
34 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion References (continued) ● I. Ruchkin, D. D. Niz, D. Garlan, and S. Chaki. Contract-based integration of cyber-physical analyses. In Proceedings of the 14th International Conference on Embedded Software. ACM Press, 2014. ● I. Ruchkin, D. De Niz, S. Chaki, and D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts. In The 5th Analytic Virtual Integration of Cyber-Physical Systems Workshop, Rome, Italy, 2014. ● P. H. Feiler, B. Lewis, S. Vestal, and E. Colbert. An Overview of the SAE Architecture Analysis & Design Language (AADL) Standard: A Basis for Model-Based Architecture-Driven Embedded Systems Engineering. In Architecture Description Languages. Springer Science, 2005. ● R. Nieuwenhuis, A. Oliveras, C. Tinelli. Solving SAT and SAT Modulo Theories: From an Abstract Davis–Putnam–Logemann–Loveland Procedure to DPLL(T). In Journal of the ACM, 2006. ● L. de Moura and N. Bjrner. Z3: An Efficient SMT Solver. In Lecture Notes in Computer Science, pages 337{340. Springer, 2008.
35 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion AADL Example
36 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Probabilistic Contracts ● Reliability assumption: “probabilities of sensors not working are independent.” ● Security assumption: “probabilities of sensors not working are dependent.”

More Related Content

Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach

  • 1. Today's Date Sub Topic 1 Sub Topic 2 Sub Topic 3 Sub Topic 4 Sub Topic 5 Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach Ivan Ruchkin Ashwini Rao Dionisio de Niz Sagar Chaki David Garlan 1st ACM Workshop on CPS Privacy & Security Sponsors: DoD, NSF, NSA October 16, 2015 Sub Topic 1 Sub Topic 2 Sub Topic 3 Sub Topic 4 Sub Topic 5
  • 2. 2 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Copyright 2015 ACM This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® is registered in the U.S. Patent and Trademark Ofce by Carnegie Mellon  University. DM-0002865
  • 3. 3 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion ● Safety, efficiency, fault-tolerance – Formal verification, control theory, reliability engineering, ...
  • 4. 4 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion
  • 5. 5 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Cyber-Physical Systems and Vulnerabilities ● Software-controlled distributed autonomy ● Complex physical behavior ● Diverse interactions: networks, physics, … – Potentially malicious ● Diverse attack surfaces and vulnerabilities
  • 6. 6 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Outline ● Security in cyber-physical systems ● Inter-domain vulnerabilities ● Analysis contracts approach ● Discussion
  • 7. 7 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Scenario ● One car follows another car, which is stopping. ● Senses position, distance, and velocity. ● Safety: must brake and stop without crashing. – Depends on effective control: slows down smoothly (esp. on ice) – Depends on reliability: stops even if a sensor malfunctions – Depends on sensor security: stops even if a sensor is spoofed x Distance Position Velocity
  • 8. 8 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Braking Subsystem Architecture Full model: github.com/bisc/collision_detection_aadl
  • 9. 9 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Sensors ● Adversary models: – Knows the system's architecture – Internal or external (not all-powerful) – Spoofs data for respective sensor type ● Attack steps (online): 1. Find a vulnerable set of sensors in a car 2. Spoof all of the sensors in the set Impact: the control is misled and possibly crashes
  • 10. 10 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analyses (offline) Control Analysis Failure Modes and Effects Analysis Trustworthiness Analysis
  • 11. 11 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis 1: FMEA ● Failure Modes and Effects Analysis [Schneider1996] – Mature and common in reliability engineering ● Goals: 1. Determine most likely “failure modes” ● Configurations where some components failed 2. Augment the system to reduce failure likelihood P = 0.1 P = 0.05 P = 0.01
  • 12. 12 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis 2: Sensor Trustworthiness ● Goal: determine trustworthiness of each sensor – Given an attacker model [Miao2013] Internal attacker External attacker
  • 13. 13 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis 3: Secure Control ● Goals: [Fawzi2014] 1. Tune controllers and state estimators 2. Determine if control is safe and smooth ● Minimal sensor trust assumption: at least 50% sensors are providing trustworthy data (for each sensed variable)
  • 14. 14 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
  • 15. 15 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
  • 16. 16 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
  • 17. 17 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
  • 18. 18 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Exploiting Vulnerability minimal trust Internal attacker
  • 19. 19 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Problem: Inter-Domain Vulnerabilities ● Uncontrolled analysis interactions may lead to introduction of vulnerabilities into CPS. ● Cause: unsatisfied dependencies and assumptions. ● Introduced offline, exploited online.
  • 20. 20 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Outline ● Security in cyber-physical systems ● Inter-domain vulnerabilities ● Analysis contracts approach ● Discussion
  • 21. 21 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Possible Solutions ● Cybersecurity online: IDS, firewalls – Oblivious of diverse engineering analyses ● Cybersecurity offline: encryption, secure protocols, secure-by-design – May not work with physical world ● Control-theoretic CPS security [Fawzi2014] – Does not consider fault-tolerance and other factors ● Component modeling, interface theories – Focuses on system parts, not quality concerns
  • 22. 22 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analysis Contracts Approach 1. Model the system's architecture 2. Formalize contracts for analyses [Ruchkin2014] ● Inputs, outputs, assumptions, guarantees 3. Execute analyses correctly (offline) ● Dependencies met ● Assumptions satisfied ● Expectation: inter-domain vulnerabilities are detected and prevented
  • 23. 23 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Step 1: Architecture Modeling ● AADL – Architecture Analysis and Design Language [Feiler2005] ● Provides standardized high-level vocabulary – Components and connectors: sensors, controllers, actuators, … – Properties: sensor variables, trustworthiness, attacker model, ... – Modes: configurations of components, connectors, and their properties
  • 24. 24 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Step 2: Analysis Contract Specification Analysis Input Output FMEA Fault-tolerance requirements Sensors, controllers, modes Trustworthiness Sensors, attacker model Sensor trustworthiness Control Sensors, controllers Control safety
  • 25. 25 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Analytic Dependencies Control Analysis Failure Modes and Effects Analysis Trustworthiness Analysis Sensors, controllers Sensors Sensor trustworthiness Depends on
  • 26. 26 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Assumptions and Guarantees ● Logically specify for each analysis ● Ctrl analysis assumption (minimal sensor trust): ● Actual second-order encoding in SMTv2:
  • 27. 27 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Step 3: Contract Verification ● Deterministic: first-order predicate logic – Implemented in the ACTIVE tool [Ruchkin2014] using the Z3 solver – Doesn't support second-order yet ● Probabilistic – Not fully designed, or implemented – Plan to: ● Incorporate Probabilistic Computation Tree Logic (PCTL) in the language ● Use probabilistic model checking tools: PRISM or MRMC
  • 28. 28 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Detecting Vulnerability minimal trust Internal attacker
  • 29. 29 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Outline ● Security in cyber-physical systems ● Inter-domain vulnerabilities ● Analysis contracts approach ● Discussion
  • 30. 30 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Limitations ● Generality – Approach applicable to other domains? ● Scalability & expressiveness – Will verification be feasible in other cases? ● Practicality – Is the up-front formal effort worth it?
  • 31. 31 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Future Work ● Richer contracts – Behavioral models for security – Probabilistic statements – Something else? ● Incorporating relevant domains – Suggestions? ● Validation – NOT building a self-driving car from scratch – Ideas?
  • 32. 32 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Summary ● Described inter-domain vulnerabilities ● Demonstrated the analysis contracts approach – Specified analysis contracts – Determined dependencies – Verified deterministic assumptions ● Future work: more models and analyses, richer contracts, and validation Email me: iruchkin@cs.cmu.edu ACTIVE tool: github.com/bisc/active Car model: github.com/bisc/collision_detection_aadl
  • 33. 33 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion References ● H. Schneider. Failure Mode and Effect Analysis: FMEA From Theory to Execution. Technometrics, 38(1), 1996. ● C. Miao, L. Huang, W. Guo, and H. Xu. A Trustworthiness Evaluation Method for Wireless Sensor Nodes Based on D-S Evidence Theory. In Wireless Algorithms, Systems, and Applications, Springer, 2013. ● H. Fawzi, P. Tabuada, and S. Diggavi. Secure Estimation and Control for Cyber-Physical Systems Under Adversarial Attacks. IEEE Transactions on Automatic Control, 59(6), 2014.
  • 34. 34 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion References (continued) ● I. Ruchkin, D. D. Niz, D. Garlan, and S. Chaki. Contract-based integration of cyber-physical analyses. In Proceedings of the 14th International Conference on Embedded Software. ACM Press, 2014. ● I. Ruchkin, D. De Niz, S. Chaki, and D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts. In The 5th Analytic Virtual Integration of Cyber-Physical Systems Workshop, Rome, Italy, 2014. ● P. H. Feiler, B. Lewis, S. Vestal, and E. Colbert. An Overview of the SAE Architecture Analysis & Design Language (AADL) Standard: A Basis for Model-Based Architecture-Driven Embedded Systems Engineering. In Architecture Description Languages. Springer Science, 2005. ● R. Nieuwenhuis, A. Oliveras, C. Tinelli. Solving SAT and SAT Modulo Theories: From an Abstract Davis–Putnam–Logemann–Loveland Procedure to DPLL(T). In Journal of the ACM, 2006. ● L. de Moura and N. Bjrner. Z3: An Efficient SMT Solver. In Lecture Notes in Computer Science, pages 337{340. Springer, 2008.
  • 35. 35 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion AADL Example
  • 36. 36 Today's Date Contents Cyber-Physical Systems Vulnerabilities Analysis Contracts Discussion Probabilistic Contracts ● Reliability assumption: “probabilities of sensors not working are independent.” ● Security assumption: “probabilities of sensors not working are dependent.”